The results were announced yesterday, so I can release the write-up now~ I'm still pretty bad at this...

bang

The APK is protected with the 2018 free edition of the Bangbang (梆梆) packer.

There is a tool that can unpack it: https://github.com/hluwa/FRIDA-DEXDump

Unpacking yields a single dex; JEB3 opens it directly and the flag is right there.

bang-flag

flag{borring_things}

jocker

The omg function decodes to a fake flag; the real flag is built in:

jocker-encrypr-final

The encrypt function is self-modifying: its body is XOR-decrypted at run time, so the static disassembly is garbage.

jocker-encrypr-a-code

IDA patch script (IDAPython; applies the same XOR the function applies to itself so IDA shows the real code):

import ida_bytes

# encrypt() XORs its own body with 0x41 before executing, so XOR the
# 186 bytes at 0x401500 with 0x41 in the IDA database as well
start, size = 0x401500, 186
buf = bytearray(ida_bytes.get_bytes(start, size))
ida_bytes.patch_bytes(start, bytes(bytearray(b ^ 0x41 for b in buf)))

After patching, the decrypted function turns out to be a simple XOR.

jocker-encrypt-code

This recovers the first half of the flag; the second half is produced in the finally block.

jocker-final-code

I guessed this is also a simple XOR: XORing the last stored byte with '}' gives 71, so XOR all five bytes with 71.

Putting it together gives the flag:

def omg(flag):
    # fake-flag check: odd positions add the index, even positions XOR it
    for i in range(24):
        if i & 1:
            flag[i] += i
        else:
            flag[i] ^= i
    print(''.join(list(map(chr, flag))))


find_me = list(map(ord, "hahahaha_do_you_find_me?"))

# 24-byte compare buffer used by omg(); decodes to the fake flag
cmp = [0x66, 0x6B, 0x63, 0x64, 0x7F, 0x61, 0x67, 0x64,
       0x3B, 0x56, 0x6B, 0x61, 0x7B, 0x26, 0x3B, 0x50,
       0x63, 0x5F, 0x4D, 0x5A, 0x71, 0x0C, 0x37, 0x66]

# print(len(cmp))

omg(cmp)

# 19-byte compare buffer from encrypt(); a plain XOR with find_me
real = [0x0E, 0x0D, 0x09, 0x06, 0x13, 0x05, 0x58, 0x56,
        0x3E, 0x06, 0x0C, 0x3C, 0x1F, 0x57, 0x14, 0x6B,
        0x57, 0x59, 0x0D]

for i in range(len(real)):
    real[i] ^= find_me[i]

print(''.join(list(map(chr, real))), end="")

# last 5 bytes come from the finally block; key 71 = ord(':') ^ ord('}')
v3 = ['0'] * 5
v3[0] = '%'
v3[1] = 't'
v3[2] = 'p'
v3[3] = '&'
v3[4] = ':'

for i in range(len(v3)):
    print(chr(ord(v3[i]) ^ 71), end="")

flag{d07abccf8a410cb37a}

singal

Opening it in IDA, the main logic is a small virtual machine. On inspection the program it runs is just addition, subtraction, multiplication, division and XOR on the input bytes followed by a comparison at the end, so I simulated the bytecode directly with symbolic values and let z3 solve the constraints.

from z3 import *

# one 8-bit symbolic byte per input character (the VM checks 15 of them)
x = [BitVec("x%d" % i, 8) for i in range(15)]
res = x[:]          # keep the original symbols; x[] is overwritten below

# bytecode of the check routine, copied out of the binary
op = [0x0000000A, 0x00000004, 0x00000010, 0x00000008, 0x00000003, 0x00000005,
      0x00000001, 0x00000004, 0x00000020, 0x00000008, 0x00000005, 0x00000003,
      0x00000001, 0x00000003, 0x00000002, 0x00000008, 0x0000000B, 0x00000001,
      0x0000000C, 0x00000008, 0x00000004, 0x00000004, 0x00000001, 0x00000005,
      0x00000003, 0x00000008, 0x00000003, 0x00000021, 0x00000001, 0x0000000B,
      0x00000008, 0x0000000B, 0x00000001, 0x00000004, 0x00000009, 0x00000008,
      0x00000003, 0x00000020, 0x00000001, 0x00000002, 0x00000051, 0x00000008,
      0x00000004, 0x00000024, 0x00000001, 0x0000000C, 0x00000008, 0x0000000B,
      0x00000001, 0x00000005, 0x00000002, 0x00000008, 0x00000002, 0x00000025,
      0x00000001, 0x00000002, 0x00000036, 0x00000008, 0x00000004, 0x00000041,
      0x00000001, 0x00000002, 0x00000020, 0x00000008, 0x00000005, 0x00000001,
      0x00000001, 0x00000005, 0x00000003, 0x00000008, 0x00000002, 0x00000025,
      0x00000001, 0x00000004, 0x00000009, 0x00000008, 0x00000003, 0x00000020,
      0x00000001, 0x00000002, 0x00000041, 0x00000008, 0x0000000C, 0x00000001,
      0x00000007, 0x00000022, 0x00000007, 0x0000003F, 0x00000007, 0x00000034,
      0x00000007, 0x00000032, 0x00000007, 0x00000072, 0x00000007, 0x00000033,
      0x00000007, 0x00000018, 0x00000007, 0xFFFFFFA7, 0x00000007, 0x00000031,
      0x00000007, 0xFFFFFFF1, 0x00000007, 0x00000028, 0x00000007, 0xFFFFFF84,
      0x00000007, 0xFFFFFFC1, 0x00000007, 0x0000001E, 0x00000007, 0x0000007A]
s = Solver()

index = 0                       # read cursor, advanced by opcode 1
j = 0                           # write cursor, advanced by opcode 8
t = 0                           # accumulator
check_num = [0 for i in range(100)]
check_numi = 0                  # next slot to fill with a committed value
check_numj = 0                  # next slot to compare (opcode 7)

ip = 0
while (ip < len(op)):
    if op[ip] == 1:             # commit accumulator, move to next input byte
        check_num[check_numi] = t
        ip += 1
        index += 1
        check_numi += 1
    elif op[ip] == 2:           # t = x[index] + imm
        t = x[index] + op[ip+1]
        ip += 2
    elif op[ip] == 3:           # t = x[index] - imm
        t = x[index] - op[ip+1]
        ip += 2
    elif op[ip] == 4:           # t = x[index] ^ imm
        t = x[index] ^ op[ip+1]
        ip += 2
    elif op[ip] == 5:           # t = x[index] * imm
        t = x[index] * op[ip+1]
        ip += 2
    elif op[ip] == 6:           # no-op in this routine
        ip += 1
    elif op[ip] == 7:           # compare committed value with 32-bit imm;
        # z3 reduces the immediate to the 8-bit sort (0xFFFFFFA7 -> 0xA7)
        s.add(check_num[check_numj] == op[ip+1])
        check_numj += 1
        ip += 2
    elif op[ip] == 8:           # store accumulator back into the buffer
        x[j] = t
        j += 1
        ip += 1
    elif op[ip] == 10:          # no-op in this routine
        ip += 1
    elif op[ip] == 11:          # t = x[index] - 1
        t = x[index] - 1
        ip += 1
    elif op[ip] == 12:          # t = x[index] + 1
        t = x[index] + 1
        ip += 1


if s.check() == sat:
    m = s.model()
    flag = ""
    print(m)
    for i in res:
        flag += chr(m[i].as_long())
    print(flag)

flag{757515121f3d478}
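As a check on the z3 result, here is an added example (my own code, not from the original write-up or the challenge binary) that runs the same bytecode concretely on 8-bit cells and also recovers the input without z3. It relies on the opcode meanings recovered above and on one assumption: that the binary compares sign-extended char values against the 32-bit immediates, so a constant like 0xFFFFFFA7 is matched after masking to 0xA7. Because each input byte is loaded, transformed, stored and checked exactly once, every check depends on a single byte, which is why a per-byte brute force over printable ASCII is enough; it also sidesteps the second 8-bit preimage that the multiply-by-2 at position 9 would otherwise admit.

```python
# Added example: concrete emulator + z3-free solver for the signal VM bytecode.
# Assumption: 8-bit (char) cells and 8-bit comparison against the immediates.

# Bytecode of the check routine, as recovered from the binary.
CODE = [
    0x0A, 0x04, 0x10, 0x08, 0x03, 0x05, 0x01, 0x04, 0x20, 0x08, 0x05, 0x03,
    0x01, 0x03, 0x02, 0x08, 0x0B, 0x01, 0x0C, 0x08, 0x04, 0x04, 0x01, 0x05,
    0x03, 0x08, 0x03, 0x21, 0x01, 0x0B, 0x08, 0x0B, 0x01, 0x04, 0x09, 0x08,
    0x03, 0x20, 0x01, 0x02, 0x51, 0x08, 0x04, 0x24, 0x01, 0x0C, 0x08, 0x0B,
    0x01, 0x05, 0x02, 0x08, 0x02, 0x25, 0x01, 0x02, 0x36, 0x08, 0x04, 0x41,
    0x01, 0x02, 0x20, 0x08, 0x05, 0x01, 0x01, 0x05, 0x03, 0x08, 0x02, 0x25,
    0x01, 0x04, 0x09, 0x08, 0x03, 0x20, 0x01, 0x02, 0x41, 0x08, 0x0C, 0x01,
    0x07, 0x22, 0x07, 0x3F, 0x07, 0x34, 0x07, 0x32, 0x07, 0x72, 0x07, 0x33,
    0x07, 0x18, 0x07, 0xFFFFFFA7, 0x07, 0x31, 0x07, 0xFFFFFFF1, 0x07, 0x28,
    0x07, 0xFFFFFF84, 0x07, 0xFFFFFFC1, 0x07, 0x1E, 0x07, 0x7A,
]

PRINTABLE = [chr(c) for c in range(0x20, 0x7F)]


def run_vm(code, data):
    """Execute the check bytecode over `data` (a list of 8-bit ints).

    Returns (computed, expected): the values the VM commits for each input
    position and the immediates they are compared against, both masked to
    8 bits (assumption: the binary compares chars, so 0xFFFFFFA7 == 0xA7).
    """
    mem = list(data)            # the VM overwrites its input buffer in place
    idx = 0                     # read cursor, advanced by opcode 1
    dst = 0                     # write cursor, advanced by opcode 8
    t = 0                       # accumulator
    computed, expected = [], []
    ip = 0
    while ip < len(code):
        op = code[ip]
        if op == 1:             # commit accumulator, move to next byte
            computed.append(t & 0xFF)
            idx += 1
            ip += 1
        elif op == 2:
            t = mem[idx] + code[ip + 1]; ip += 2
        elif op == 3:
            t = mem[idx] - code[ip + 1]; ip += 2
        elif op == 4:
            t = mem[idx] ^ code[ip + 1]; ip += 2
        elif op == 5:
            t = mem[idx] * code[ip + 1]; ip += 2
        elif op == 7:           # compare next committed value with immediate
            expected.append(code[ip + 1] & 0xFF); ip += 2
        elif op == 8:           # store accumulator back into the buffer
            mem[dst] = t & 0xFF; dst += 1; ip += 1
        elif op == 11:
            t = mem[idx] - 1; ip += 1
        elif op == 12:
            t = mem[idx] + 1; ip += 1
        elif op in (6, 10):     # no-ops in this routine
            ip += 1
        else:
            raise ValueError("unknown opcode %#x at %d" % (op, ip))
    return computed, expected


def check(code, text):
    """True if `text` passes the VM's comparison loop."""
    computed, expected = run_vm(code, [ord(c) for c in text])
    return computed == expected


def solve(code, length=15, alphabet=PRINTABLE):
    """Recover the input byte by byte: position i's check depends only on
    input byte i, so each byte is brute-forced independently."""
    found = [0] * length
    for pos in range(length):
        for ch in alphabet:
            trial = found[:]
            trial[pos] = ord(ch)
            computed, expected = run_vm(code, trial)
            if computed[pos] == expected[pos]:
                found[pos] = ord(ch)
                break
        else:
            raise RuntimeError("no printable byte satisfies position %d" % pos)
    return "".join(map(chr, found))


if __name__ == "__main__":
    inner = solve(CODE)
    assert check(CODE, inner)
    print("flag{%s}" % inner)
```

Running it prints the same flag as the z3 script; `check` is the useful part to keep around, since it re-executes the VM's own comparison on a candidate rather than trusting the solver's model.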